Key generation in a communication system

ABSTRACT

A communication system generates a Master Session Key (MSK) for accesses to a system entity that does not provide encryption to traffic. Both the home server and the user generate the same MSK. The MSK is used to generate encryption keys for traffic. In one embodiment the MSK is generated using a hashing function and information specific to the requestor. The home server determines the need to generate the MSK based on information contained in an access request message. Once generated, the MSK is provided to the system entity to enable the entity to encrypt communications.

REFERENCE TO CO-PENDING APPLICATIONS FOR PATENT

[0001] The present Application for Patent is related to the followingco-pending Applications for Patent:

[0002] “Authentication in a Communication System,” by Raymond Hsu, filedconcurrently herewith, having Attorney Docket No. 020499, assigned tothe assignee hereof and hereby expressly incorporated by reference; and

[0003] “Inter-working Function for a Communication System,” by RaymondHsu, filed concurrently herewith, having Attorney Docket No. 020503,assigned to the assignee hereof and hereby expressly incorporated byreference.

BACKGROUND

[0004] 1. Field

[0005] The present relates to an inter-working function for acommunication system, and more specifically to mechanisms for commonauthentication and key exchange through an inter-working function foruse in a Wireless Local Area Network (WLAN).

[0006] 2. Background

[0007] A Wireless Local Area Network (WLAN) allows users virtuallyunrestricted access to Internet Protocol (IP) services and datanetworks. The use of a WLAN is not limited to laptop computers and othercomputing devices, but is rapidly expanding to include cellulartelephones, Personal Digital Assistants (PDA)s, and other small wirelessdevices supported by an external network or carrier. For example, awireless device communicating via a cellular carrier may roam into aWLAN in a cyber-cafe or workspace. In this situation, the wirelessdevice has access to the cellular system, but desires access to theWLAN. The WLAN access requires authentication. As the wireless devicehas already gained access to the cellular system, the need for furtherauthentication is redundant. There is a need therefore, for a mechanismthat allows a common authentication for access to a cellular system andto a WLAN. Further, there is a need for a common mechanism forgenerating encryption keys used during communications.

BRIEF DESCRIPTION OF THE DRAWINGS

[0008]FIG. 1 is a communication system including an High Data Rate orHDR type network and a Wireless Local Area Network (WLAN).

[0009]FIG. 2 is a timing diagram of authentication procedure in acommunication system.

[0010]FIG. 3 is a timing diagram of an authentication procedure in acommunication system.

[0011]FIGS. 4 and 5 are access request message formats.

[0012]FIG. 6 is a wireless apparatus including functionality to generatea Master Session Key (MSK).

DETAILED DESCRIPTION

[0013] The word “exemplary” is used herein to mean “serving as anexample, instance, or illustration.” Any embodiment described herein as“exemplary” is not necessarily to be construed as preferred oradvantageous over other embodiments.

[0014] An HDR subscriber station, referred to herein as an accessterminal (AT), may be mobile or stationary, and may communicate with oneor more HDR base stations, referred to herein as modem pool transceivers(MPTs). An access terminal transmits and receives data packets throughone or more modem pool transceivers to an HDR base station controller,referred to herein as a modem pool controller (MPC). Modem pooltransceivers and modem pool controllers are parts of a network called anaccess network. An access network transports data packets betweenmultiple access terminals. The access network may be further connectedto additional networks outside the access network, such as a corporateintranet or the Internet, and may transport data packets between eachaccess terminal and such outside networks. An access terminal that hasestablished an active traffic channel connection with one or more modempool transceivers is called an active access terminal, and is said to bein a traffic state. An access terminal that is in the process ofestablishing an active traffic channel connection with one or more modempool transceivers is said to be in a connection setup state. An accessterminal may be any data device that communicates through a wirelesschannel or through a wired channel, for example using fiber optic orcoaxial cables. An access terminal may further be any of a number oftypes of devices including but not limited to PC card, compact flash,external or internal modem, or wireless or wireline phone. Thecommunication link through which the access terminal sends signals tothe modem pool transceiver is called a reverse link. The communicationlink through which a modem pool transceiver sends signals to an accessterminal is called a forward link.

[0015]FIG. 1 illustrates a communication system having a Wireless LocalArea Network (WLAN) 104 with multiple Access Points (APs). An AP is ahub or bridge that provides a star topology control of the wireless sideof the WLAN 104, as well as access to a wired network.

[0016] Each AP 110, as well as others not shown, supports a connectionto a data service, such as the Internet. A MS 102, such as a laptopcomputer, or other digital computing device, communicates with an AP viathe air interface, thus the term Wireless LAN. The AP then communicateswith an Authentication Server (AS) or Authentication Center (AC). The ACis a component for performing authentication services for devicesrequesting admittance to a network. Implementations include RemoteAuthentication Dial-In User Service (RADIUS), which is an Internet userauthentication described in RFC 2138, “Remote Authentication Dial InUser Service (RADIUS)” by C. Rigney et al., published April 1997, andother Authentication, Authorization and Accounting (AAA) servers.

[0017] Wireless networking is emerging as a significant aspect ofinternetworking. It presents a set of unique issues based on the factthat the only boundary of a wireless network is the radio signalstrength. There is no wiring to define membership in a network. There isno physical method to restrict a system within radio range to be amember of a wireless network. Wireless networking, more than any othernetworking technology, needs an authentication and access controlmechanism. Various groups are currently working on developing a standardauthentication mechanism. Currently the accepted standard is the IEEE802.11.

[0018] The nature of an RF based network leaves it open to packetinterception by any radio within range of a transmitter. Interceptioncan occur far outside the users ‘working’ range by using hi-gainantennas. With readily available tools, the eavesdropper is not limitedto just collecting packets for later analysis, but can actually seeinteractive sessions like web pages viewed by a valid wireless user. Aneavesdropper can also catch weak authentication exchanges, like somewebsite logins. The eavesdropper could later duplicate the logon andgain access.

[0019] Once an attacker has gained the knowledge of how a WLAN controlsadmittance, he may be able to either gain admittance to the network onhis own, or steal a valid user's access. Stealing a user's access issimple if the attacker can mimic the valid user's MAC address and useits assigned IP address. The attacker waits until the valid system stopsusing the network and then takes over its position in the network. Thiswould allow an attacker direct access to all devices within a network,or to use the network to gain access to the wider Internet, all thewhile appearing to be a valid user of the attacked network. Therefore,authentication and encryption become key concerns in implementation of aWLAN.

[0020] Authentication is the process of proving the identity of anindividual or application in a communication. Such identification allowsthe service provider to verify the entity as a valid user and also toverify the user for the specific services requested. Authentication andauthorization actually have very specific meanings, though the two namesare often used interchangeably, and in practice are often not clearlydistinguished.

[0021] Authentication is the process where a user establishes a right toan identity—in essence, the right to use a name. There are a largenumber of techniques that may be used to authenticate a user—passwords,biometric techniques, smart cards, certificates.

[0022] A name or identity has attributes associated with it. Attributesmay be bound closely to a name (for example, in a certificate payload)or they may be stored in a directory or other database under a keycorresponding to the name. Attributes may change over time.

[0023] Authorization is the process of determining whether an identity(plus a set of attributes associated with that identity) is permitted toperform some action, such as accessing a resource. Note that permissionto perform an action does not guarantee that the action can beperformed. Note that authentication and authorization decisions can bemade at different points, by different entities.

[0024] In a cellular network, the authentication feature is a networkcapability that allows cellular networks to validate the identity ofwireless device, thereby reducing unauthorized use of cellular networks.The process is transparent to subscribers. Customers are not required todo anything to authenticate the identity of their phones when they makea call.

[0025] Authentication typically involves a cryptographic scheme, whereinthe service provider and the user have some shared information and someprivate information. The shared information is typically referred to asa “shared secret.”

[0026] The A-Key

[0027] The authentication key (A-key) is a secret value that is uniqueto each individual cellular phone. It is registered with the cellularservice provider and stored in the phone and Authentication Center (AC).The A-key is programmed into the phone by the manufacturer. It can alsobe entered manually by the user, from the wireless device menu, or by aspecial terminal at the point of sale.

[0028] The wireless device and the AC must have the same A-key toproduce the same calculations. The primary function of the A-key is tobe used as a parameter to calculate the shared secret data (SSD).

[0029] The Shared Secret Data (SSD)

[0030] The SSD is used as an input for authentication calculations inthe wireless device and the AC, and is stored in both places. Unlike theA-key, the SSD may be modified over the network. The AC and the wirelessdevice share three elements that go into the calculation of the SSD: 1)the Electronic Serial Number (ESN); 2) the Authentication Key (A-Key);and 3) a RANDom number for Shared Secret Data calculation (RANDSSD).

[0031] The ESN and RANDSSD are transmitted over the network and over theair interface. The SSD is updated when a device makes its first systemaccess, and periodically thereafter. When the SSD is calculated, theresult is two separate values, SSD-A and SSD-B. SSD-A is used forauthentication. SSD-B is used for encryption and voice privacy.

[0032] Depending on the capabilities of the serving system, SSD may beshared or not shared between the AC and serving Mobile Switching Center(MSC). If secret data is shared, it means the AC will send it to theserving MSC and the serving MSC must be capable of executing CAVE. If itis not shared, the AC will keep the data and perform authentication.

[0033] The type of sharing affects how an authentication challenge isconducted. An authentication challenge is a message sent to challengethe identify of the wireless device. Basically, the authenticationchallenge sends some information, typically random number data, for theuser to process. The user then processes the information and sends aresponse. The response is analyzed for verification of the user. Withshared secret data, a challenge is handled at the serving MSC. Withnon-shared secret data, a challenge is handled by the AC. By sharingsecret data, the system may minimize the amount of traffic sent andallow challenges to happen more quickly at the serving switch.

[0034] Authentication Procedures

[0035] In a given system, a Home Location Register (HLR) controls theauthentication process by acting as intermediary between the MSC and AC.The serving MSC is set up to support authentication with the mobile'sHLR and vice versa.

[0036] The device initiates the process by notifying the serving MSC ifit is capable of authentication, by setting an authorization field inthe overhead message train. In response, the serving MSC starts theregistration/authentication process with an Authentication Request.

[0037] By sending the Authentication Request, the serving MSC tells theHLR/AC whether it is capable of doing CAVE calculations. The AC controlswhich of the serving MSC's as well as device capabilities will be usedout of those available. When the serving MSC does not have CAVEcapability, the SSD cannot be shared between the AC and MSC andtherefore all authentication processes are performed in the AC.

[0038] The purpose of the Authentication Request (AUTHREQ) is toauthenticate the phone and request SSD. The AUTHREQ contains twoparameters for authentication, the AUTHR and RAND parameters. When theAC gets the AUTHREQ, it uses the RAND and the last known SSD tocalculate AUTHR. If it matches the AUTHR sent in the AUTHREQ thenauthentication is successful. The return result to the AUTHREQ willcontain the SSD if it can be shared.

[0039] The Challenge

[0040] The Authentication process consists of a challenge and responsedialog. If SSD is shared, the dialog runs between the MSC and thedevice. If SSD is not shared, the dialog runs between the HLR/AC and thedevice. Depending on the switch type, the MSC may be capable of either aUnique Challenge, a Global Challenge, or both. Some MSCs are currentlynot capable of global challenge. The Unique Challenge is a challengethat occurs during call attempts only, because it uses the voicechannel. Unique challenge presents an authentication to a single deviceduring call origination and call delivery. The Global Challenge is achallenge that occurs during registration, call origination, and calldelivery. The Global challenge presents an authentication challenge toall MSs that are using a particular radio control channel. It is calledglobal challenge because it is broadcast on the radio control channel,and the challenge is used by all phones accessing that control channel.

[0041] During a challenge, the device responds to a random numberprovided by the MSC or AC. The device uses the random number and sharedsecret data stored in the device to calculate a response to the MSC. TheMSC also uses the random number and shared secret data to calculate whatthe response from the device should be. These calculations are donethrough the CAVE algorithm. If the responses are not the same, serviceis denied. The challenge process does not increase the amount of time ittakes to connect the call. In fact, the call may proceed in some cases,only to be torn down when authentication fails.

[0042] Wireless Local Area Networks (WLANs) have gained tremendouspopularity as a means of providing users with untethered access to IPdata networks. High Data Rate (HDR) networks such as 1xEV-DO networksand other third generation (3G) networks are also designed to offerhigh-speed data access; although the data rates they support aretypically lower than those of WLANs, 3G networks offer data coverageover a much wider area. Though they might be viewed as competitors, WLANand HDR networks may be complementary: WLANs offer high-capacity“hot-spot” coverage in public areas such as airport lounges and hotellobbies, while HDR networks can provide users with nearly ubiquitousdata service while on the move. Therefore, the same carrier may provideboth HDR and WLAN access services under a single user subscription. Thismeans that the MS uses the same authentication method and secret to bothtypes of access authentication.

[0043] One protocol, such as the Challenge Handshake AuthenticationProtocol (CHAP), which is also referred to as MD5-Challenge, may be usedfor both HDR network and WLAN access authentication. CHAP specificallyuses the RADIUS protocol to authenticate a terminal without sendingsecurity data. The MS is authenticated by its home RADIUS server,wherein the home RADIUS server and the MS share a root secret. After theMS is authenticated successfully via a CHAP challenge, the MS and thehome or HDR network derive the same encryption keys that are to be usedto protect traffic exchanged between the MS and the WLAN Access Point(AP).

[0044] After successful WLAN access authentication via a CHAP challenge,the home RADIUS server and the MS generate the same Master Session Key(MSK) from the shared root secret. The MSK will be used to deriveencryptions keys for the protection of actual traffic between the MS andthe AP of the WLAN. The shared root secret is configured to the MS andis static. The MSK is generated on a per packet data session and is onlyconstant during the session. For a new session, a new MSK is generatedfrom the shared root secret using a different random number.

[0045] Since the MSK is not required when the MS is accessing the HDRnetwork, one embodiment provides a mechanism to allow the home RADIUSserver to determine whether the MS is accessing WLAN or the HDR network.

[0046]FIG. 1 illustrates a communication system 100 including an HDRnetwork 106, a WLAN 104, and an MS 102. The MS 102 is able to access theHDR network 106, and has roamed into a WLAN 104 coverage area. The MS102 seeks access to the WLAN 104 via the AP 110 within the WLAN 104.Note that WLAN 104 may include any number of APs (not shown). The WLAN104 also includes an Authentication Authorization and Accounting entityor server 112. Note that the HDR network 106 also includes an AAA server108.

[0047]FIG. 2 illustrates the message flow for access authentication to aWLAN when CHAP or the MD5-Challenge is used in the communication system100. The MS 102 uses a Network Access Identifier (NAI) foridentification. The NAI has the format of username@realm, where realmidentifies the home network of the MS, which in this instance is HDRnetwork 106. The AAA server 112 in the WLAN network 104 initiates aRADIUS Access-Request message to the AAA server 108 at the home networkof the MS 102, i.e., to the HDR network 106. Note the HDR network 106may be any network that supports high data rate transmissions. The AAA108 then issues a CHAP Challenge to the MS 102 via the WLAN 104. The MS102 calculates a response based on the challenge, such as a randomnumber, and the response is conveyed as a RADIUS Access-Request requestto the AAA 108 via the WLAN 104. If authentication is successful, thehome AAA server 108 acknowledges such with a RADIUS Access-Acceptmessage granting the MS 102 access to the WLAN network 104. As discussedhereinabove, both the home AAA server 108 and the MS 102 generate a sameMaster Session Key (MSK) from a shared root secret.

[0048] As stated hereinabove, the CAVE algorithm is commonly used forcellular communications and therefore, is well used and distributed.Alternate algorithms for authentication are also used. Specifically indata communications a variety of algorithms exist of varying complexityand application. To coordinate these mechanisms, the ExtensibleAuthentication Protocol (EAP) has been developed as a general protocolframework that supports multiple authentication and key distributionmechanisms. The EAP is described in “PPP Extensible AuthenticationProtocol (EAP)” by L. Blunk et al, RFC 2284, published March 1998.

[0049] One such mechanism supported by the EAP as defined in “EAP AKAAuthentication” by J. Arkko et al., published as an Internet Draft inFebruary 2002, is the AKA algorithm. There is a need therefore to extendEAP to include the cellular algorithm CAVE. This is desirable to provideback compatibility for new systems and networks.

[0050] EAP

[0051] The Extensible Authentication Protocol (EAP) is a generalprotocol for authentication which supports multiple authenticationmechanisms. EAP does not select a specific authentication mechanismduring link set up and control, but rather postpones this until theauthentication procedure begins. This allows the authenticator torequest more information before determining the specific authenticationmechanism. The authenticator is defined as the end of the link requiringthe authentication. The authenticator specifies the authenticationprotocol to be used in the during link establishment.

[0052] Key Generation

[0053] A key hierarchy is the sequence of steps that are used togenerate from a root key a set of encryption keys that are used toeither encrypt/decrypt messages or authenticate messages. A keyhierarchy should include some time varying information so that the sameset of encryption keys is not generated each time the hierarchy is used.A key hierarchy should also be set up such that if the derivedencryption keys were to become known, the root key could not be obtainedfrom the encryption keys.

[0054] In one embodiment, an overall key hierarchy consists of threesmaller layered key hierarchies: master key hierarchy; rekeying keyhierarchy; and per-packet key hierarchy. The master key hierarchy mayinclude EAP keying, pre-shared key, or random number, depending on thehierarchy and authentication method. If EAP keying is used for themaster key hierarchy, the master key hierarchy will normally reside onthe RADIUS server.

[0055] The rekeying key hierarchy has two types which are calledPairwise key hierarchies and Group key hierarchies. The steps in thesetwo types of hierarchies are similar; only the inputs to the two typesare different.

[0056] The per-packet key hierarchy. This may be either for TKIP (usingan RC4 encryption engine), or for AES.

[0057] Pairwise key hierarchies are used to derive the keys that areused between two entities in a wireless network (AP and associatedstation, or a pair of stations in a network).

[0058] Group key hierarchies are used to derive and transfer keys thatare used by all entities in a wireless group (an AP and all stationsassociated with that AP in a network, or all entities in a network).

[0059] Pairwise key hierarchies are instantiated in parallel on the twoentities that are using the Pairwise key, with each entity calculatingthe same set of encryption keys using shared information. One of the twoentities drives the Pairwise key hierarchy, that entity is known as thePairwise key owner. For a given network, the Pairwise key owner is theAP; for other networks each possible pair of stations will have aPairwise key hierarchy, and the Pairwise key owner is the station of thepair with the lower Medium Access Control layer address.

[0060] Group key hierarchies are instantiated only on one entity, andthe derived encryption keys are promulgated to all the other entities;the entity that drives the Group key hierarchy is the Group key owner.For a given network, such as referred to as a Basic Service Set (BSS),the Group key owner is the AP; for an Independent Basic Service Set(IBSS) network the Group key owner is the current beacon transmitter.Note that a BSS network is made up of an AP and associated stations,whereas an IBSS network is made up of a set of stations, all of whichare peers of one another. As used herein station is a workstation, andincludes a mobile station or other wireless device capable of accessinga local area network.

[0061] Each station will have at least two key hierarchies'instantiated, and quite probably more. In a BSS network, the AP willhave a Pairwise key hierarchy instantiated for each station that isassociated, and also at least one Group key hierarchy; the AP will bethe key owner for all these hierarchies. Each associated station willhave one Pairwise key hierarchy instantiated, and at least one Group keyhierarchy. For the IBSS network, each station will have a Pairwise keyhierarchy instantiated for every other station in the network, as wellas a single Group key hierarchy.

[0062] The key owner will have a single Group rekeying hierarchyinstantiation for the Group keys, and a Pairwise rekeying hierarchyinstantiation for each association. A key owner will have a per-packetkey hierarchy per Temporary Key Integrity Protocol (TKIP) temporal keyfor both Group and Pairwise temporal keys (if any). A non-key owner willhave a rekeying hierarchy instantiation for Group keys and Pairwise keysper association, and a perpacket key hierarchy per TKIP temporal key forboth Group and Pairwise temporal keys (if any).

[0063] MSK

[0064] According to the exemplary embodiment, the MSK includes theCellular Message Encryption Algorithm (CMEA) key, which is used forprotecting MS traffic such as to a WLAN, and a Cipher Key (CK).

[0065]FIG. 3 illustrates the key hierarchy for generating encryptionkeys to protect traffic between the MS 102 and WLAN network 104. Theprocess begins with the negotiation of the MS 102 identity. The WLAN 104then sends a RADIUS access request message to the AAA 108, whichresponds with a RADIUS access challenge message. The WLAN 104 passes thechallenge to the MS 102, which calculates a response therefrom. The MS102 response to the challenge is then provided to the WLAN 104. In step4 a, after the MS 102 sends the authentication response to the WLAN 104,the MS 102 uses the root secret to generate the Master Session Key(MSK).

[0066] The WLAN 104 sends the RADIUS access request message to the AAA108, including the challenge response. In step 5 a, if the MS 102 isauthenticated successfully, the home AAA server 108 uses the MS 102 rootsecret to generate the same MSK as generated by the MS 102 at step 4 a.In step 6, the home AAA server 108 includes the MSK in the RADIUSAccess-Accept message, using an attribute, such as the MS-MPPE-Recv-Keyattribute. In step 7, the MS 102 and WLAN network 104 use the proceduressuch as those specified in the document entitled “Draft Supplement toStandard for Telecommunications and Information Exchange BetweenSystems—LAN/MAN Specific Requirements—Part 11: Wireless Medium AccessControl (MAC) and physical layer (PHY) specifications: Specification forEnhanced Security” IEEE Std 802.11i/D2.0, March 2002, (herein referredto as “the 802.11i standard), to generate encryption keys from the MSK.

[0067] The following provides two examples of algorithms and parametersused to generate the MSK in both the MS 102 and home AAA server 108. Ina first embodiment, the MSK is defined as:

MSK=hashing function (secret, challenge, NAI, secret)  (1)

[0068] Wherein the MSK is the result of applying a hashing function(e.g., CHAP, HMAC) using the following parameters:

[0069] MS 102 root secret;

[0070] The challenge used to authenticate MS 102 in steps 4-5 of FIG. 3;

[0071] MS 102 NAI; and

[0072] MS 102 root secret again.

[0073] According to this embodiment, the MS 102 and home AAA server 108have all the key materials necessary to generate the same MSKindependently. In other words, no additional key materials need beexchanged between the MS 102 and home AAA server 108 for MSK generation.Note that the MSK and the MS 102 access authentication response aregenerated from a same challenge value. An alternate embodiment generatesthe MSK from a different random value.

[0074] A second example, according to another embodiment, defines theMSK as:

MSK=hashing function (secret, NAI, random number)  (2)

[0075] Wherein the MSK is the result of applying a hashing function(e.g., CHAP, HMAC) on the following parameters:

[0076] MS 102 root secret;

[0077] MS 102 NAI; and

[0078] A random number generated by the home AAA server,

[0079] Wherein the random number is different from the challenge value.According to this embodiment, the MSK is generated from a random numberthat is different from the challenge value used in the MS 102 accessauthentication. The use of independent challenge values provides lesscorrelation between the MSK and the MS 102 access authentication, andtherefore, provides improved security. Note that the random number issent to the MS 102 and the MSK generated therefrom. The random number issent to the MS 102 via a RADIUS Access-Accept (step 6 in FIG. 3) and themechanisms defined in the 802.11i standard (step 7 in FIG. 3).

[0080] The procedure to generate MSK is used when the MS 102 isaccessing a WLAN 104, and is not used when the MS is accessing 1xEV-DOor other HDR network. This is due to the over the air encryptionprovided by the HDR system. As the MS initiates the access to either theWLAN network 104 or the HDR network 106, the MS 102 is able to determinewhether MSK generation is needed. However, the home AAA server must alsodetermine when to generate the MSK.

[0081] In one embodiment, a special RADIUS attribute is implemented tonotify the AAA 108 to generate an MSK. In steps 2 and 5 of FIG. 3, theWLAN network 104 sends the RADIUS Access-Request message containing aspecial or designated attribute indicating the MS 102 desires or isrequesting WLAN 104 access. The attribute status will trigger the homeAAA server 108 to perform MSK generation (if the MS 102 authenticationwas successful). When the designated attribute is not present in theRADIUS Access-Request message, the home AAA server 108 will not performMSK generation. Note that for implementation in a system consistent with3GPP2, the designated attribute is specific to 3GPP2 and thus may bedefined as a vendor-specific attribute with the vendor ID of 3GPP2.

[0082]FIG. 4 illustrates the RADIUS format described in RFC 2865entitled “Remote Authentication Dial In User Service (RADIUS)” by C.Rigney et al, published June 2000. The data format 200 includes: a codefield 202 identifying the type of RADIUS packet (e.g., access request,access reject, etc.); an ID field 204 to coordinate matching requestsand responses; and a length field 206 to indicate the length of theassociated packet. An attribute 220 is also illustrated, including: atype field 222 identifying the contents of the value field 226; a lengthfield 224 giving the length of the attribute; and a value fieldproviding the specific information of this attribute. Note that RADIUSsupports vendor-specific attributes, wherein the value field 226 is usedto provide the vendor identification, followed by the attributeinformation. The vendor-specific type may be as described in RFC 2548entitled “Microsoft Vendor-specific RADIUS Attributes” by G. Zorn,published March 1999, for application to CHAP messages.

[0083] An alternate embodiment implements a standard attribute calledthe Network Access Server (NAS) Internet Protocol (IP) address in theRADIUS Access-Request message. The standard attribute identifies the IPaddress of the RADIUS client originating the RADIUS Access-Requestmessage. The home AAA server 108 is configured with a databasecontaining the IP addresses of all the RADIUS clients in the WLANnetwork 104. If the IP address indicated in the NAS IP address attributematches an address in the database, then the RADIUS Access-Requestmessage is originated from the WLAN network 104, and the home AAA server108 will perform MSK generation (if the MS authentication wassuccessful). Otherwise, the home AAA server 108 will not perform MSKgeneration.

[0084] The format for the standard attribute is illustrated in FIG. 5,with an example superimposed over the value field. The attribute format300 includes a type field 302 identifying the contents of a value field306; a length field 304 giving the length of the attribute; and a valuefield 306 containing the attribute information. Note that withoutmodification to the description given in RFC 2865, the value field 306may be partitioned into significant fields for type 322 indicating thetype of sub-attribute, such as an MSK generation instruction; a lengthfield 324 giving the length of the sub-attribute; and a value field 326containing the sub-attribute information, such as an MSK generationindicator. As an example, to convey a message to the AAA 108 instructingthe AAA 108 on MSK generation, the type filed 322 may identify thissub-attribute as an MSK generation instruction using a correspondingpredefined code. The value field 326 would then have a value either:1—instructing the AAA 108 to generate an MSK; or 2—instructing the AAA108 to not generate the MSK.

[0085] A wireless device, such as MS 102, is illustrated in FIG. 6. Thedevice 600 includes receive circuitry 602 and transmit circuitry 604 forreceiving transmissions and sending transmissions, respectively. Thereceive circuitry 602 and the transmit circuitry 604 are both coupled toa communication bus 612. The device 600 also includes a CentralProcessing Unit (CPU) 606 for controlling operations within the device600. The CPU 606 is responsive to computer-readable instructions storedin memory storage devices within the device 600. Two such storagedevices are illustrated as storing the authentication procedure(s) 608and the MSK generation 610. Note that alternate embodiments mayimplement the procedure in hardware, software, firmware, or acombination thereof. The CPU 606 is then responsive to authenticationprocessing instructions from the authentication procedure 608. The CPU606 places the authentication procedure 608 messages into a transportformat, such as an EAP format. Upon authentication to a WLAN, the CPU606 is responsive to the MSK generation unit 610 to generate the MSK.The CPU 606 further processes received transport format messages toextract the authentication messages therefrom.

[0086] Note that while the embodiments described herein detail a WLAN,the methods and apparatus described herein are also applicable to othersystem entities. The present invention provides a method of enabling asystem entity to provide encryption to a communication. By using thehome server to generate the MSK, and providing the MSK to a systementity, that entity is provided sufficient information for securetransmissions to a user, such as a MS.

[0087] Those of skill in the art would understand that information andsignals may be represented using any of a variety of differenttechnologies and techniques. For example, data, instructions, commands,information, signals, bits, symbols, and chips that may be referencedthroughout the above description may be represented by voltages,currents, electromagnetic waves, magnetic fields or particles, opticalfields or particles, or any combination thereof.

[0088] Those of skill would further appreciate that the variousillustrative logical blocks, modules, circuits, and algorithm stepsdescribed in connection with the embodiments disclosed herein may beimplemented as electronic hardware, computer software, or combinationsof both. To clearly illustrate this interchangeability of hardware andsoftware, various illustrative components, blocks, modules, circuits,and steps have been described above generally in terms of theirfunctionality. Whether such functionality is implemented as hardware orsoftware depends upon the particular application and design constraintsimposed on the overall system. Skilled artisans may implement thedescribed functionality in varying ways for each particular application,but such implementation decisions should not be interpreted as causing adeparture from the scope of the present invention.

[0089] The various illustrative logical blocks, modules, and circuitsdescribed in connection with the embodiments disclosed herein may beimplemented or performed with a general purpose processor, a digitalsignal processor (DSP), an application specific integrated circuit(ASIC), a field programmable gate array (FPGA) or other programmablelogic device, discrete gate or transistor logic, discrete hardwarecomponents, or any combination thereof designed to perform the functionsdescribed herein. A general purpose processor may be a microprocessor,but in the alternative, the processor may be any conventional processor,controller, microcontroller, or state machine. A processor may also beimplemented as a combination of computing devices, e.g., a combinationof a DSP and a microprocessor, a plurality of microprocessors, one ormore microprocessors in conjunction with a DSP core, or any other suchconfiguration.

[0090] The steps of a method or algorithm described in connection withthe embodiments disclosed herein may be embodied directly in hardware,in a software module executed by a processor, or in a combination of thetwo. A software module may reside in RAM memory, flash memory, ROMmemory, EPROM memory, EEPROM memory, registers, hard disk, a removabledisk, a CD-ROM, or any other form of storage medium known in the art. Anexemplary storage medium is coupled to the processor such the processorcan read information from, and write information to, the storage medium.In the alternative, the storage medium may be integral to the processor.The processor and the storage medium may reside in an ASIC. The ASIC mayreside in a user terminal. In the alternative, the processor and thestorage medium may reside as discrete components in a user terminal.

[0091] The previous description of the disclosed embodiments is providedto enable any person skilled in the art to make or use the presentinvention. Various modifications to these embodiments will be readilyapparent to those skilled in the art, and the generic principles definedherein may be applied to other embodiments without departing from thespirit or scope of the invention. Thus, the present invention is notintended to be limited to the embodiments shown herein but is to beaccorded the widest scope consistent with the principles and novelfeatures disclosed herein.

What is claimed is:
 1. A method for key generation in a communicationsystem, comprising: authenticating an access to a Wireless Local AreaNetwork (WLAN); generating a Master Session Key (MSK) for the access;and sending an access accept message including the MSK.
 2. The method asin claim 1, wherein authenticating comprises: receiving a useridentification; determining a challenge value; and determining theshared secret, and wherein generating an MSK comprises: hashing the useridentification, the challenge value and the shared secret.
 3. Theapparatus as in claim 2, wherein the user identification is a NetworkAccess Identifier (NAI).
 4. The method as in claim 1, whereinauthenticating comprises: receiving a user identification; determining achallenge value; and determining a random value, and wherein generatingan MSK comprises: hashing the user identification, the challenge valueand the random value.
 5. The apparatus as in claim 4, wherein theapparatus identifier is a Network Access Identifier (NAI).
 6. A methodfor key generation in a communication system, comprising: requestingauthentication of an access to a Wireless Local Area Network (WLAN);receiving an access accept message including a Master Session Key (MSK)for the access; and generating at least one encryption key as a functionof the MSK, wherein the at least one encryption key is used to encrypttraffic for the access.
 7. An apparatus for key generation in acommunication system, comprising: means for authenticating an access toa Wireless Local Area Network (WLAN); means for generating a MasterSession Key (MSK) for the access; and means for determining anencryption key from the MSK.
 8. An apparatus for key generation in acommunication system, comprising: means for requesting authentication ofan access to a Wireless Local Area Network (WLAN); means for receivingan access accept message including a Master Session Key (MSK) for theaccess; and means for generating at least one encryption key as afunction of the MSK, wherein the at least one encryption key is used toencrypt traffic for the access.
 9. An apparatus, comprising: aprocessing unit; an authentication procedure unit coupled to theprocessing unit, adapted to request authentication of an access to asystem, and adapted to compute a response to a challenge for theauthentication; and a Master Session Key (MSK) generation unit coupledto the processing unit, adapted to generate an MSK, wherein the MSK isfor generating at least one encryption key to encrypt traffic for theaccess.
 10. The apparatus as in claim 9, wherein the MSK is generatedusing an apparatus identifier, a shared secret, and the challenge. 11.The apparatus as in claim 10, wherein the apparatus identifier is aNetwork Access Identifier (NAI).
 12. The apparatus as in claim 9,wherein the MSK is generated using an apparatus identifier, a sharedsecret, and a random number.
 13. The apparatus as in claim 12, whereinthe apparatus identifier is a Network Access Identifier (NAI).
 14. Amethod in a communication system, comprising: receiving an accessrequest message for an access to the communication system, the accessrequest message having a first field; determining the state of the firstfield; and if the state is a first value, generating a Master SessionKey (MSK) for the access.
 15. The method as in claim 14, furthercomprising: sending an access accept message, wherein: if the state isthe first value the access accept message includes the MSK.
 16. Themethod as in claim 15, further comprising: authenticating the access.17. The method as in claim 14, wherein the first field corresponds to anattribute indicating an access to an entity of the communication systemthat does not support encryption.
 18. The method as in claim 17, whereinthe entity is a Wireless Local Area Network (WLAN).
 19. The method as inclaim 14, wherein the first field corresponds to an attribute indicatingorigination of the access request message
 20. The method as in claim 14,further comprising: authenticating the access by: receiving a useridentification; determining a challenge value; and determining theshared secret, and wherein generating the MSK comprises: hashing theuser identification, the challenge value and the shared secret.
 21. Themethod as in claim 14, further comprising: authenticating the access by:receiving a user identification; determining a challenge value; anddetermining a random value, and wherein generating the MSK comprises:hashing the user identification, the challenge value and the randomvalue.
 22. An infrastructure element in a communication system,comprising: means for receiving an access request message for an accessto the communication system, the access request message having a firstfield; means for determining the state of the first field; and means forgenerating a Master Session Key (MSK) for the access if the state is afirst value.
 23. An access request message format for a communicationsystem, comprising: a type field identifying a type of attributeinformation for an access to the communication system; and a value fieldfor the attribute information, the value field comprising: a second typefield identifying a type of sub-attribute information for the access;and a second value field for the sub-attribute information.
 24. Theaccess request message format as in claim 23, wherein the sub-attributeinformation is a Master Session Key (MSK) generation instruction.